Category: Ubuntu

It was a bit difficult to find any real information on fixing the latest openSSL CVE-2016-0800 (DROWN attack) so I decided to write this quick post on how to update your Ubuntu Server 12.04/14.04 OpenSSL (or any debian-based distro with apache2) to the latest 1.0.2g build to avoid the DROWN/Heartbleed attacks. I’m not going to go into the details of how the exploit works and how it’s exploited as there are many blogs/sites that already go over this. Instead I will only focus on the fix, I have provided 2 methods, a method using cURL or wget.

*** UPDATED 7/4/2017 ***
Because this is a popular post, I’ve gone ahead and updated it to reflect latest SSL binaries, it’s good practice to check what the latest binaries are regardless of this post.

Ok so here is another useful filter for fail2ban. Once this plugin is installed it will prevent malicious visitors from trying to brute-force folder and file discovery. After 5 attempts to visit a non existing file/folder the visitor is banned…

Ok so here is a quick post to a common question… adding a filter to fail2ban for bot/scanners searching for files, folders or simply doing recon which can result in exploit discovery, this filter will automatically block a visitor/bot after 4 attempts to scan for a file that does not exist on your domain/server.

For owncloud to configure & work correctly apache needs to be given ownership of certain folders so their is no problem for apache to read and write data inside your website.Run the following commands.( chown -R www-data:www-data /var/www/apps )
( chown -R www-data:www-data /var/www/config )
( chown -R www-data:www-data /var/www/data )Note: Keep in mind that /var/www is just the default root folder of apache yours might be different, just make sure you make the appropriate changes so they point to your apache/web install.

Your going to want to enable mod_rewrite ( a2enmod rewrite ).

Restart your apache service ( service apache2 restart )

Create a new database in mysql and call it owncloud, create a new user and password with specific access to the owncloud database. These credentials will be used later in the process.

now lets generate a general cert with the following command ( openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt )
Note: Your going to be asked a couple of questions after you run this command, answer them as accurate as possible as this will be displayed on your cert when people try to access your site.

Edit default-ssl in sites-available folder in your apache install ( vim /etc/apache2/sites-available/default-ssl ) and comment out lines add the following lines 51 & 52 (use a #).
Then add the following lines right under
(

SSLCertificateFile /etc/apache2/ssl/apache.crt

SSLCertificateKeyFile /etc/apache2/ssl/apache.key

)

Finally run ( a2ensite default-ssl )

Restart your apache service ( service apache2 restart )

At this point your should be able to visit your box’s url ( https://localhost or https://127.0.0.1 or https://www.yourdomain.com ) and finish installing owncloud with the native install wizard.
Once your install is complete you will be able to download ownclouds own filesync client or you can use a WebDAV client to navigate through your files. You can do the same for your mobile device or tablet.

Securing Apache can be different if you have custom modules running, for this quick note/tutorial I am going to assume that it is a fresh install of Apache or a lamp stack (sudo apt-get install lamp-server^)…

I am sure you can do a lot more to “secure” your apache installation, but this is a good start, it will hide your server information from port scanners and scripts trying to detect what your server version is. This makes it much harder to exploit your box, it’s hard to exploit something you have no idea what its running.
You can also make your default directory your home directory if you wish to encrypt your files. If you want more security I would consider tools to encrypt the entire partition/drive, you can find out more about full disk encryption for uOS Server 12.04 here.

This post is important because phpmyadmin no longer just works after apt-get install, it requires additional steps to get working.
Aside from these changes, due to recent reports on phpmyadmin being exploited it’s important to secure it, you can do this in a couple of ways but I am going to assume you want access to it via web.

2 Parts

Installation of phpmyadmin

Securing the installation via htaccess

Discussing more secure methods of accessing phpmyadmin

Lets begin the install muahahaha…

Enter root mode:

sudo bash

Install:

apt-get install phpmyadmin

Open Apache Config File

vim /etc/apache2/apache2.conf

Insert the following line at the very bottom of apache2.conf

Include /etc/phpmyadmin/apache.conf

Restart Apache server:

service apache2 restart

Securing phpmyadmin from public access to web panel…

Edit phpmyadmin’s apache configuration file:

vim /etc/phpmyadmin/apache.conf

Under the directory section (<Directory /usr/share/phpmyadmin>), add the line “AllowOverride All” under “Directory Index”:

A REAL setup guide for NIC bonding in Ubuntu Server 12.04/12.04.2 because everyone online sucks at actually posting the correct information, probably due to the current explosion of online “experts” plagiarizing other “experts” online…

This was tested on a HP DL380 with Dual Broadcom NICS.

enter root mode:

sudo bash

then install the bonding drivers:

apt-get install ifenslave-2.6

edit /etc/network/interfaces

vim/etc/network/interfaces

You can pretty much copy the following into interfaces after line 5 # The loopback network interface